If you're using Google Chrome, press CTRL-J and switch to the "Resources" tab. Expand the "Cookies" item, and select the current domain: "natas5.natas..." and lo and behold there is a cookie there, named loggedin, with value 0. Remember, the client controls what gets sent in the cookies. That's our attack vector.
I wonder what happens if we change that to a true value, probably
You can't change cookies here, but I have a browser extension that lets me do that. Or, you can use curl again. Once you make a request with a cookie that claims you're logged in, you'll see the password for the next level.
If you ever have to write a web application where users can be logged in, be careful of problems like this. You need to make sure that the client
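The defensive side of this lesson, as an added example that is not part of the original post: a check that trusts a client-set loggedin cookie next to one that only accepts a cookie carrying an HMAC computed with a server-held key. The function names, the "session" cookie name and the sample cookies are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the key is generated at startup and never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def naive_is_logged_in(cookies):
    """The flawed pattern: trusts a value the client fully controls."""
    return cookies.get("loggedin") == "1"


def _tag(username):
    """HMAC-SHA256 over the username; only the key holder can compute it."""
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(username):
    """Called after a successful login; returns 'username.tag'."""
    return f"{username}.{_tag(username)}"


def verified_user(cookies):
    """Return the username if the cookie's tag verifies, else None."""
    username, sep, tag = cookies.get("session", "").rpartition(".")
    if not sep or not username:
        return None
    # compare_digest is constant-time, so it does not leak how much matched
    ok = hmac.compare_digest(tag.encode(), _tag(username).encode())
    return username if ok else None


def demo():
    forged = {"loggedin": "1"}  # constructed: cookie edited on the client
    genuine = {"session": issue_session_cookie("alice")}
    # constructed: a valid tag reused under a different username
    tampered = {"session": "admin." + genuine["session"].rpartition(".")[2]}
    return (naive_is_logged_in(forged), verified_user(forged),
            verified_user(genuine), verified_user(tampered))


if __name__ == "__main__":
    print(demo())
```

In a real application the signed value would also carry an expiry, or the cookie would hold only a random ID that maps to session state stored on the server.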